foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 06:19:00 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hosts/plover/services/grafana: update settings

Browse Source
This commit is contained in:
Gabriel Arazas 2024-10-20 18:21:54 +08:00
parent a4fe1ef527
commit 493d241073
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
1 changed files with 30 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
configs/nixos/plover/modules/services/grafana.nix
View File

@ -41,17 +41,6 @@ in {
login_maximum_lifetime_duration = "14d"; login_maximum_lifetime_duration = "14d";
}; };
database = rec {
host =
"127.0.0.1:${builtins.toString config.services.postgresql.port}";
password = "$__file{${
config.sops.secrets."grafana/database/password".path
}}";
type = "postgres";
name = "grafana";
user = name;
};
log = { log = {
level = "warn"; level = "warn";
mode = "syslog"; mode = "syslog";
@ -98,17 +87,16 @@ in {
# If the user is not logged in, redirect them to Vouch's login URL # If the user is not logged in, redirect them to Vouch's login URL
error_page 401 = @error401; error_page 401 = @error401;
location @error401 { location @error401 {
return 302 http://${vouchDomain}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; return 302 http://vouch-proxy/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
} }
''; '';
locations = { locations = {
"= /validate" = { "= /validate" = {
proxyPass = "http://${vouchSettings.vouch.listen}:${ proxyPass = "http://vouch-proxy";
builtins.toString vouchSettings.vouch.port
}";
extraConfig = '' extraConfig = ''
proxy_pass_request_body off; proxy_pass_request_body off;
proxy_set_header Content-Length "";
# These will be passed to @error_401 call. # These will be passed to @error_401 call.
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
@ -154,6 +142,18 @@ in {
ensureDBOwnership = true; ensureDBOwnership = true;
}; };
}; };
services.grafana.settings = {
database = rec {
host =
"127.0.0.1:${builtins.toString config.services.postgresql.port}";
password =
"$__file{${config.sops.secrets."grafana/database/password".path}}";
type = "postgres";
name = "grafana";
user = name;
};
};
}) })
(lib.mkIf hostCfg.services.vouch-proxy.enable { (lib.mkIf hostCfg.services.vouch-proxy.enable {
@ -168,16 +168,25 @@ in {
}; };
services.grafana.settings."auth.generic_oauth" = { services.grafana.settings."auth.generic_oauth" = {
api_url = authSubpath "oauth2/authorise";
client_id = "grafana";
client_secret = "$__file{${
config.sops.secrets."grafana/oauth_client_secret".path
}}";
enabled = true; enabled = true;
name = "Kanidm"; name = "Kanidm";
client_id = "grafana";
client_secret =
"$__file{${config.sops.secrets."grafana/oauth_client_secret".path}}";
allow_sign_up = true;
use_pkce = true;
use_refresh_token = true;
oauth_url = authSubpath "ui/oauth2"; oauth_url = authSubpath "ui/oauth2";
scopes = lib.concatStringsSep " " [ "openid" "email" "profile" ];
token_url = authSubpath "oauth2/token"; token_url = authSubpath "oauth2/token";
api_url = authSubpath "oauth2/openid/grafana/userinfo";
login_attribute_path = "preferred_username";
groups_attribute_path = "groups";
role_attribute_path = ''
contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'
'';
allow_assign_grafana_admin = true;
scopes =
lib.concatStringsSep " " [ "openid" "email" "profile" "groups" ];
}; };
}) })
]); ]);